JP2024007617A - Processor circuit, version management method, and version management program - Google Patents

Abstract

To reduce a capacity of a memory in which a counter for managing a version of software is provided.SOLUTION: A processor circuit for managing a version of software to be activated includes: a nonvolatile memory that holds a first counter value of a first counter and a second counter value of a second counter; and an activation control unit that updates the first counter value and maintains the second counter value when upgrading the version of the software, maintains the first counter value and updates the second counter value when downgrading the version of the software, and activates the software when the version of the software to be activated is equal to a check value for version confirmation indicated by a difference between the first counter value and the second counter value.SELECTED DRAWING: Figure 1

Description

The present invention relates to a processor circuit, a version control method, and a version control program.

In order to protect firmware from rollback attacks, a method is known in which a firmware version is stored in an OTP (One Time Programmable) memory and the version can only be updated in an upward direction. For example, firmware versions are held as major versions in OTP memory and as minor versions in nonvolatile memory (see, for example, Patent Document 1).

Japanese Patent Application Publication No. 2021-179982

However, when managing firmware versions using OTP memory to protect firmware from rollback attacks, it is not easy to revert firmware to an older version. For this reason, for example, when a problem occurs in firmware, it is not easy to perform tests while switching versions, which reduces firmware debugging efficiency.

For example, by providing a plurality of counters for version management in the OTP memory and switching the counters used for version management, it becomes possible to easily return the firmware to an older version. However, in this case, it is necessary to provide counters for more than the expected number of switchings, which increases the capacity of the OTP memory.

In one aspect, the present invention aims to reduce the memory capacity in which a counter for managing software versions is provided.

According to one aspect, the processor circuit is a processor circuit that manages a version of software to be activated, and includes a non-volatile memory that retains a first counter value of a first counter and a second counter value of a second counter. , updating the first counter value and maintaining the second counter value when increasing the software version, and maintaining the first counter value and updating the second counter value when decreasing the software version. and an activation control unit that activates the software when the version of the software to be updated and activated is equal to a check value for version confirmation indicated by the difference between the first counter value and the second counter value.

It is possible to reduce the memory capacity in which a counter for managing software versions is provided.

1 is a block diagram illustrating an example of a motherboard on which a processor circuit according to an embodiment is mounted. FIG. FIG. 2 is an explanatory diagram showing an example of managing firmware version updates using the counter in FIG. 1; 2 is a flow diagram illustrating an example of a firmware update operation by the processor circuit of FIG. 1. FIG. FIG. 3 is a block diagram illustrating an example of a motherboard on which a processor circuit according to another embodiment is mounted. 5 is an explanatory diagram showing an example of managing firmware version updates using the counter of FIG. 4. FIG. It is a block diagram which shows another example of the counter in the embodiment mentioned above. FIG. 3 is a block diagram illustrating an example of a motherboard on which a processor circuit according to another embodiment is mounted.

Embodiments will be described below with reference to the drawings.

FIG. 1 shows an example of a motherboard on which a processor circuit according to an embodiment is mounted. The processor circuit 10 shown in FIG. 1 is, for example, a CPU (Central Processing Unit). The processor circuit 10 is mounted on a motherboard 100 along with a firmware storage area 20 in which firmware 22 is stored. Firmware 22 is an example of software.

The processor circuit 10 and the firmware storage area 20 may each be mounted on the motherboard 100 in the form of a chip, or may be mounted on the motherboard 100 in the form of an integrated chip. For example, the motherboard 100 is installed in an information processing device such as a server, a supercomputer, or a PC (Personal Computer), and realizes the functions of the information processing device.

The firmware 22 held in the firmware storage area 20 is executed by a CPU core installed in the processor circuit 10 or the like. Although not particularly limited, for example, the firmware storage area 20 is allocated in an electrically rewritable memory such as a flash memory, and can be overwritten with firmware to be updated. Note that the firmware storage area 20 may be allocated within a memory in which one or both of an OS (Operating System) and an application program executed by the processor circuit 10 are stored.

The processor circuit 10 includes a version storage section 12, a version verification section 14, and a write control section 16. The version verification unit 14 and the write control unit 16 are examples of a startup control unit. The version storage unit 12 has counters 12a and 12b used to manage the version of the firmware 22. For example, the version storage unit 12 is provided in an on-chip OTP (One Time Programmable) memory. The version storage unit 12 is an example of nonvolatile memory. The counter 12a is an example of a first counter, and the counter 12b is an example of a second counter.

For example, since OTP memory stores bit information in each of a plurality of E-fuses, information written in each bit (E-fuse) of the OTP memory cannot be rewritten. That is, the OTP memory allows each value of multiple bits to be written only once. The OTP memory of this embodiment cannot return the value of a bit to which "1" has been written to "0". Therefore, for example, in the counter 12a, the number of bits holding "1" is increased each time the version is increased.

The counter value CNTa of the counter 12a and the counter value CNTb of the counter 12b are indicated by the number of bits set to "1". Further, the check value for version confirmation is indicated by the difference (CNTa-CNTb) between the counter values CNTa and CNTb. The check value indicates the version of firmware 22 that can be activated. An example of the use of counters 12a, 12b is illustrated in FIG. Counter value CNTa is an example of a first counter value, and counter value CNTb is an example of a second counter value.

When the firmware 22 held in the firmware storage area 20 is activated, the version verification unit 14 compares the version of the firmware 22 to be activated with the check value of the version held in the version storage area 12 . The version verification unit 14 then performs normal startup processing, version upgrade processing, or error processing (stopping startup) of the firmware based on the comparison between the version of the firmware 22 and the difference between the counter values CNTa and CNTb. Determine whether to do so.

If the version of the firmware 22 to be activated is greater than the difference between the counter values CNTa and CNTb, the version verification unit 14 issues an instruction to the write control unit 16 to increase the counter value CNTa of the counter 12a. If the version of the firmware 22 to be activated is equal to the difference between the counter values CNTa and CNTb, the version verification unit 14 causes the processor circuit 10 to execute the process of starting the firmware 22. If the version of the firmware 22 to be activated is smaller than the difference between the counter values CNTa and CNTb, the version verification unit 14 notifies the error processing unit of the processor circuit 10 of the occurrence of an error.

The write control unit 16 controls write operations of the counters 12a and 12b. The write control unit 16 performs a write operation to update the counter value CNTa of the counter 12a based on instructions from the version verification unit 14. Further, when performing a rollback process to lower the version of the firmware 22, the write control unit 16 performs a write operation of the counter 12b based on a dedicated procedure for writing to the counter 12b, and updates the counter value CNTa. . For example, a dedicated procedure for writing to the counter 12b may be password authentication or public key authentication. Note that the dedicated procedure for writing to the counter 12b is not limited to password authentication or public key authentication, but may also be biometric authentication or the like. By employing a dedicated procedure for writing to the counter 12b, security against rollback of the firmware 22 can be ensured.

For example, the operations of the version verification unit 14 and the write control unit 16 are realized by a version management program executed by the processor circuit 10. Then, the version control method is realized by executing the version control program. Further, the error processing section may be realized by an error processing program executed by the processor circuit 10. Note that one or more of the version verification section 14, the write control section 16, and the error processing section may be realized by hardware.

FIG. 2 shows an example of managing firmware version updates using the counters 12a and 12b of FIG. The operation shown in FIG. 2 shows an example of a version management method implemented by the version verification unit 14 and the write control unit 16. Moreover, the operation shown in FIG. 2 shows an example of the operation by the version control program executed by the processor circuit 10.

The counter values CNTa and CNTb of the counters 12a and 12b are incremented by setting bit values to "1" from the least significant bit to the most significant bit. It is not possible to rewrite the bit value from "1" to "0". The check value of the firmware version set in the version storage unit 12 is indicated by the difference (CNTa−CNTb) between the counter values CNTa and CNTb. "4'b" or "5'b" shown at the beginning of the counter values CNTa, CNTb indicates 4 bits of binary number or 5 bits of binary number, respectively.

FIG. 2A shows an example of the operation of the counters 12a and 12b when increasing the firmware version (check value). In FIG. 2A, the version of the firmware 22 is sequentially updated from "0" to "4" from state A0 to state A4. Since the counter value CNTb of the counter 12b is maintained at "0", the counter value CNTa indicates the check value. If the counter value CNTa matches the firmware 22 to be activated, the firmware 22 is activated.

FIG. 2B shows an example of the operation of the counters 12a and 12b when a problem occurs after the version of the firmware 22 is updated and the version (check value) is rolled back to the previous version. When returning the version (check value), before starting the firmware 22, the counter value CNTb of the counter 12b is incremented by the difference between the current version and the version after returning.

Note that in the initial state B0 of FIG. 2(B), the counter value CNTa is "4'b0111=3", so the version of the bootable firmware 22 is "3". In this example, in order to return the version to the previous version, the counter value CNTb is increased by "1" from "4'b0000" in state B0 to "4'b0001" in state B1. By increasing the counter value CNTb by "1", the version of the bootable firmware 22 becomes "2".

As described above, the counter value CNTb is updated by transitioning to a rollback-only state using password authentication, public key authentication, or the like to ensure security. Note that if a dedicated state is prepared for the purpose of testing or debugging the device with guaranteed security, the counter value CNTb may be updated according to the procedure.

After this, when starting the firmware 22 with version="3", the counter value CNTa is incremented by "1" from "4'b0111" in state B1 and updated to "4'b1111" in state B2. As a result, the check value held in the version storage section 12 returns to "3", and the firmware 22 with version="3" can be activated.

FIG. 2C shows an example of the operation of the counters 12a and 12b when the number of bits in the counters 12a and 12b is one bit larger than that in FIG. 2B. States C0 to C2 in FIG. 2(C) are similar to states B0 to B2 in FIG. 2(B), except that the number of bits of the counters 12a and 12b are different. By increasing the number of bits of the counters 12a and 12b by 1 bit, even if the version is returned to the previous version, the version of the bootable firmware 22 can be updated to "4" thereafter.

Note that when the version (check value) is returned, the maximum value of the check value that can be expressed by the counter values CNTa and CNTb becomes smaller. For example, in the 4-bit counter 12a shown in FIG. 2(B), the version cannot be set to "4". In the 4-bit counter 12a shown in FIG. 2(C), the version cannot be set to "5". For this reason, the number of bits of the counters 12a and 12b is designed in accordance with the maximum number of versions and the maximum number of rollbacks, taking into consideration the assumed operating status of the firmware. In FIG. 2, the number of bits of the counters 12a and 12b is set to 4 bits or 5 bits, but the number of bits of the counters 12a and 12b can be set to any value depending on the maximum number of updates of the firmware 22 version. can.

FIG. 3 shows an example of a flow of a firmware update operation by the processor circuit 10 of FIG. 1. The processor circuit 10 starts the firmware activation process shown in FIG. 3 based on the activation of the device on which the motherboard 100 is installed.

First, in step S10, the write control unit 16 determines whether or not a dedicated procedure for writing to the counter 12b has been received. When the write control unit 16 receives the dedicated procedure, the process moves to step S12, and when the dedicated procedure is not received, the write control unit 16 moves the process to step S14 in order to perform normal firmware startup processing.

In step S12, the write control unit 16 performs authentication processing etc. according to a dedicated procedure, updates the counter value CNTb of the counter 12b to the instructed value based on the success of the authentication processing, and performs the processing shown in FIG. finish. Note that after the counter 12b is updated, the device on which the motherboard 100 is mounted is restarted. As a result, the process shown in FIG. 3 is performed again after updating the counter 12b.

In step S14, the version verification unit 14 reads the version of the firmware 22 to be activated from the firmware storage area 20. Next, in step S16, the version verification unit 14 compares the read version with the difference (CNTa−CNTb; check value) between the counter values CNTa and CNTb read from the counter 12a and the counter 12b.

Next, in step S18, if the read version is larger than the difference (CNTa-CNTb), the version verification unit 14 performs processing to match the check value held in the version storage unit 12 with the version of the firmware 22 to be activated. The process moves to step S20. If the read version is equal to the difference (CNTa−CNTb), the version verification unit 14 moves the process to step S22 because the firmware 22 read from the firmware storage area 20 can be activated. If the read version is smaller than the difference (CNTa-CNTb), the version verification unit 14 detects an error in the startup process of the firmware 22, and moves the process to step S24 to stop the startup of the firmware 22.

In step S20, the version verification section 14 notifies the write control section 16 of the difference between the version of the firmware 22 to be activated and the check value (CNTa-CNTb). The write control unit 16 increases the counter value CNTa of the counter 12a based on the received difference until the check value (CNTa−CNTb) becomes equal to the version of the firmware 22. After step S20, the process moves to step S22. In step S22, the version verification unit 14 completes the version management process, instructs the processor circuit 10 to start the firmware 22, and ends the process shown in FIG. 3. After the firmware 22 is started, for example, the OS is started.

In step S24, the version verification unit 14 causes the processor circuit 10 to stop starting the firmware 22. The version verification unit 14 also outputs the occurrence of an error and an instruction to stop the startup of the device in which the motherboard 100 is installed to the error processing unit of the processor circuit 10, and the process shown in FIG. 3 ends (startup failure). This makes it possible to prevent an incorrect version of the firmware 22 from being activated.

As described above, in this embodiment, the write control unit 16 updates one of the two counters CNTa and CNTb provided in the version storage unit 12, which is a non-volatile memory, when increasing the version, and updates the other when decreasing the version. Update. Thereby, the version can be increased or decreased multiple times using the two counters CNTa and CNTb. As a result, the memory capacity for managing versions of software such as firmware can be reduced.

The version can be increased by increasing the counter value CNTa, and the version can be decreased by increasing the counter value CNTb. Therefore, for example, version upgrades and version downs can be easily managed using a check value that is the difference between the counter values CNTa and CNTb of the counters 12a and 12b provided in the OTP memory. For example, when the version of the firmware 22 to be activated is greater than the check value, the version can be easily upgraded by updating the counter value CNTa until the check value and the version of the firmware 22 to be activated become equal.

If the version of the firmware 22 to be activated is smaller than the difference (CNTa-CNTb), the version verification unit 14 detects an error in the activation process of the firmware 22 and stops the activation of the firmware 22. This makes it possible to prevent an incorrect version of the firmware 22 from being activated.

The counter value CNTb used when rolling back the version is updated based on a dedicated procedure for writing to the counter 12b, such as during authentication processing, thereby ensuring both security and operability in firmware version management. be able to. Here, operability includes, for example, the ability to quickly roll back a version and conduct a test when a problem occurs with firmware, and thereby suppress a decline in firmware debugging efficiency. On the other hand, if a device needs to be replaced in order to perform a firmware rollback, a quick rollback is difficult.

Note that a device such as a server on which the motherboard 100 is mounted is often connected to a network, and there is a risk that it will be subjected to a cyber attack via the network. Even in such a case, it is possible to prevent unauthorized rollback of the firmware 22, and it is possible to reduce the possibility of malfunctions such as the device being infected with a computer virus. As a result, it is possible to suppress a decrease in reliability of a device such as a server on which the motherboard 100 is mounted.

FIG. 4 shows an example of a motherboard on which a processor circuit according to another embodiment is mounted. Elements similar to those in FIG. 1 are denoted by the same reference numerals, and detailed description thereof will be omitted. The processor circuit 10A shown in FIG. 4 is, for example, a CPU, and is mounted on the motherboard 100A together with a firmware storage area 20 in which firmware 22 is stored.

The motherboard 100A has the same configuration as the motherboard 100 in FIG. 1 except that a processor circuit 10A is mounted in place of the processor circuit 10 in FIG. The processor circuit 10A has the same configuration as the processor circuit 10 in FIG. 1 except that it has a version storage section 12A instead of the version storage section 12 in FIG.

The version storage unit 12A is the same as the version storage unit 12 in FIG. 1, except that a counter 12c is installed instead of the counter 12b in FIG. The counter 12c generates a counter value CNTc. The version storage unit 12A is an example of nonvolatile memory. The counter 12a that holds the counter value CNTa is an example of a first nonvolatile memory. The counter 12c that holds the counter value CNTc is an example of a second nonvolatile memory.

For example, the counter 12c is provided using a nonvolatile memory such as a flash memory in which each value of a plurality of bits can be rewritten multiple times. Therefore, the counter 12c can operate as a normal binary counter, and the counter value CNTc is expressed in binary. Therefore, the number of bits used can be saved compared to the counter 12b of FIG. 1 in which the counter value CNTb is indicated by the number of bits set to "1". That is, the memory resources used for the counter 12c can be further reduced compared to FIG. For example, when counting from "0" to "4", the counter 12b in FIG. 1 uses 4 bits, but the counter 12c only needs to use 3 bits. Further, when the counter 12c has 4 bits, it can count from "0" to "15".

If a non-volatile memory such as a flash memory is used for the counter 12c, the value of the bit to which "1" has been written can be returned to "0". However, writing to the counter 12c is performed by the write control unit 16 using a dedicated procedure for writing to the counter 12c, such as password authentication or public key authentication. Therefore, it is possible to prevent an incorrect value from being written to the counter 12c, and it is possible to prevent an incorrect rollback of the firmware. Note that the dedicated procedure for writing to the counter 12c is not limited to password authentication, public key authentication, or the like.

FIG. 5 shows an example of managing firmware version updates using the counters 12a and 12c shown in FIG. Detailed description of operations similar to those in FIG. 2 will be omitted. FIG. 5A shows an example of the operation of the counters 12a and 12c when a problem occurs after the version of the firmware 22 is updated and the version is rolled back two versions. Similarly to FIG. 2B, when returning the version, before starting the firmware 22, the counter value CNTc of the counter 12c is incremented by the difference between the current version and the version to be returned.

In this example, the counter value CNTc is increased by "2" from "4'b0000" in state A0 to "4'b0010" in state A1 in order to return the version two versions earlier. As a result, the difference between the counter values CNTa and CNTc becomes "1", and it becomes possible to start the firmware 22 whose version is "1". Note that in the initial state A0, the counter value CNTa is "5'b00111" = "3", so the version of the bootable firmware 22 is "3".

The flow of the firmware update operation by the processor circuit 10A in FIG. 4 is the same as that in FIG. 3. Therefore, the counter value CNTa of the counter 12a is updated if the version of the firmware 22 is larger than the check value that is the difference between the counter values CNTa and CNTc during normal startup of the firmware 22. Further, since the OTP memory is used for the counter 12a, it is updated only in the increasing direction. Therefore, for example, even if the counter 12a is maliciously updated, the update will only be to a value larger than the current version, and the device will not be able to start up after the update. Further, since the counter value CNTc can be updated only in step S12 of FIG. 3, updating of the counter value CNTc of the counter 12c is prohibited under any conditions during normal startup of the firmware 22. Therefore, the security of the device regarding the firmware version can be ensured.

After this, when the firmware 22 with version="2" is started again, the counter value CNTa is updated from "5'b00111" in state A1 to "5'b01111" in state A2. As a result, the version held in the version storage unit 12 is set to "2". Further, when the firmware 22 with version="3" is restarted, the counter value CNTa is updated from "5'b01111" in state A2 to "5'b11111" in state A3. As a result, the version held in the version storage unit 12 is set to "3". In FIG. 5 as well, the number of bits of the counters 12a and 12c is designed in accordance with the maximum version and the maximum number of rollbacks, taking into account the assumed operating status of the firmware.

FIG. 6 shows another example of the counter in the embodiment described above. In FIG. 6A, the number of bits of the counter 12a (OTP) in FIG. 1 is 96 bits, and the number of bits of the counter 12b (OTP) in FIG. 1 is 32 bits. As a result, the number of versions that can be rolled back can be increased to "32" at most. Furthermore, even when the maximum number of rollbacks is performed, it is possible to support versions up to "64".

In FIG. 6B, the number of bits of the counter 12a (OTP) in FIG. 4 is 96 bits, and the number of bits of the counter 12c (flash memory) in FIG. 4 is 6 bits. Since the counter value CNTc of the counter 12c is expressed in binary, it can be set to a value from "0" to "63" that is equal to or greater than the rollback that can be realized by the counter 12b. Therefore, memory resources can be reduced.

As described above, in this embodiment as well, the same effects as in the above-described embodiment can be obtained. For example, the two counters CNTa and CNTc can increase or decrease the version multiple times, and the memory capacity for managing versions of software such as firmware can be reduced. By using a check value that is the difference between the counter values CNTa and CNTc of the counters 12a and 12c, version upgrades and version downs can be easily managed.

Furthermore, in this embodiment, the counter 12c is provided using a non-volatile memory such as a flash memory that can operate as a normal binary counter, so the number of bits used is reduced compared to the counter 12b of FIG. can do. As a result, the memory resources used for the counter 12c can be further reduced compared to FIG.

FIG. 7 shows an example of a motherboard on which a processor circuit according to another embodiment is mounted. Elements similar to those in FIG. 1 are denoted by the same reference numerals, and detailed description thereof will be omitted. The motherboard 100B shown in FIG. 7 includes a CPU 10B, a firmware storage area 20, and a TPM (Trusted Platform Module) 30 including various functions related to security. The motherboard 100A is the same as the motherboard 100 in FIG. 1, except that a CPU 10B is mounted in place of the processor circuit 10 in FIG. 1, and a TPM 30 is newly mounted. Note that in this embodiment, the motherboard 100B operates as a processor circuit. In the following, the motherboard 100B is also referred to as the processor circuit 100B.

The CPU 10B is similar to the processor circuit 10 in FIG. 1 except that it has a version storage section 12B instead of the version storage section 12 in FIG. The version storage unit 12B is equipped with only a counter 12b (on-chip OTP memory) that generates a counter value CNTb. The version storage unit 12B is an example of nonvolatile memory.

In this embodiment, the counter 12a is mounted on the TPM 30, which is a security chip including a security function. Therefore, when the firmware 22 held in the firmware storage area 20 is activated, the version verification unit 14 checks the counter value CNTa held in the counter 12a in the TMP 30 and the counter value held in the counter 12b of the version storage unit 12. CNTb is read out and compared. The firmware update operation by the CPU 10B in FIG. 7 is the same as in FIGS. 2 and 3.

As shown in FIG. 7, for example, if the TPM 30 is already mounted on the motherboard 100B, the counter 12a can be realized using the TPM 30, so that the resources for providing the counter 12a can be reduced. In this way, since the counter 12a (OTP) can be mounted at any location accessible from the version verification unit 14, the barrier to incorporating the version verification method of the firmware 22 into the motherboard 100B can be lowered.

As described above, in this embodiment as well, the same effects as in the above-described embodiment can be obtained. For example, the two counters CNTa and CNTb can be used to increase or decrease the version multiple times, and the memory capacity for managing versions of software such as firmware can be reduced. Using the check value, which is the difference between the counter values CNTa and CNTb of the counters 12a and 12b, version upgrades and version downs can be easily managed.

Furthermore, in this embodiment, if the TPM 30 is already mounted on the motherboard 100B, the counter 12a can be realized using the TPM 30, and the resources for providing the counter 12a can be reduced. Since the counter 12a (OTP) can be mounted at any location accessible from the version verification unit 14, it is possible to lower the barrier to incorporating the version verification method of the firmware 22 into the motherboard 100B.

The features and advantages of the embodiments will become apparent from the above detailed description. It is intended that the appended claims extend to the features and advantages of such embodiments without departing from the spirit and scope thereof. Additionally, all improvements and changes will be readily apparent to those having ordinary knowledge in the relevant technical field. Therefore, it is not intended that the scope of the inventive embodiments be limited to those described above, but suitable modifications and equivalents may be made within the scope disclosed in the embodiments.

10, 10A, 10B Processor circuit 12, 12A, 12B Version storage section 12a, 12b, 12c Counter 14 Version verification section 16 Write control section 20 Firmware storage area 22 Firmware 30 TPM
100, 100A, 100B Motherboard CNTa, CNTb, CNTc Counter value

Claims (9)

A processor circuit that manages the version of software to be started,
a non-volatile memory that retains a first counter value of a first counter and a second counter value of a second counter;
When increasing the software version, the first counter value is updated and the second counter value is maintained; when the software version is decreasing, the first counter value is maintained and the second counter value is updated. and a startup control unit that starts the software when the version of the software to be started is equal to a check value for version confirmation indicated by the difference between the first counter value and the second counter value. . The nonvolatile memory that holds the first counter value and the second counter value is capable of writing each value of a plurality of bits only once,
The startup control unit writes a value to one of the plurality of bits of the first counter when incrementing the software version by one;
The processor circuit according to claim 1, wherein the check value is indicated by the difference between the number of bits in which a value is written in the first counter and the number of bits in which a value is written in the second counter. The activation control unit updates the first counter value when the version of the software to be activated is greater than the check value, until the check value and the version of the software to be activated become equal. 2. The processor circuit according to 2. The processor circuit according to claim 1 or 2, wherein the activation control unit stops activation of the software when a version of the software to be activated is smaller than the check value. The processor circuit according to claim 1 or 2, wherein the activation control unit updates the counter value of the second counter based on a successful authentication process. The non-volatile memory includes a first non-volatile memory that holds the first counter value and a second non-volatile memory that holds the second counter value,
The first nonvolatile memory is capable of writing each value of a plurality of bits only once,
The processor circuit according to claim 1, wherein the second nonvolatile memory is capable of rewriting each value of a plurality of bits multiple times. The processor circuit according to claim 1 or 2, wherein the first counter is mounted on a security chip including a security function. A version management method using a processor circuit that has a nonvolatile memory that holds a first counter value of a first counter and a second counter value of a second counter, and manages a version of software to be activated,
updating the first counter value and maintaining the second counter value when upgrading the software version;
maintaining the first counter value and updating the second counter value when lowering the version of the software;
The version control method includes starting the software when the version of the software to be started is equal to a check value for version confirmation indicated by the difference between the first counter value and the second counter value. A version management program that is executed by a processor circuit that has a nonvolatile memory that holds a first counter value of a first counter and a second counter value of a second counter, and that manages a version of software to be activated,
updating the first counter value and maintaining the second counter value when upgrading the software version;
maintaining the first counter value and updating the second counter value when lowering the version of the software;
a version control program that causes the processor circuit to execute a process of activating the software when the version of the software to be activated is equal to a check value for version confirmation indicated by the difference between the first counter value and the second counter value; .

Images